MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e24de4c134736acb2b1342770c1a9d2402180f58b3c90c2c2bc06d85c6484760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e24de4c134736acb2b1342770c1a9d2402180f58b3c90c2c2bc06d85c6484760
SHA3-384 hash: 8a4f7cf6a89b3a1a6a919804f74d17ef77d65d5e852ec03354d1cd2a3ee58b77d6dc8204fa673feded23c6bf81d288a8
SHA1 hash: 1984d6242a9b15a076d5afc7451d07ff1fcc5418
MD5 hash: a82234a9166a3070b5969ce4be875345
humanhash: juliet-ohio-blossom-oxygen
File name:Orders.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:833'024 bytes
First seen:2020-06-08 07:34:37 UTC
Last seen:2020-06-08 09:12:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 79c2c767a803ce5a1d9cb231e7f92fe5 (3 x FormBook)
ssdeep 12288:BsMvEKOq2hhRjWRawDIwoVByJ8ksvcro/e:BsyErtRjMYBWr
Threatray 5'488 similar samples on MalwareBazaar
TLSH D4055C23A1F0CFF3C1A6263B7C0A77656C5D7D1C6D64B84A67E83E08EE3D681A915183
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: moon.vivawebhost.com
Sending IP: 78.128.60.41
From: Kerry Leung <sales@ctgbrands.com>
Reply-To: coolskyho@gmail.com
Subject: NEW PO M00T2009 7009
Attachment: Orders.rar (contains "Orders.exe")

FormBook payload URL:
https://cdn.discordapp.com/attachments/717301698174910538/719282500987387956/WyksMNB

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 00:15:19 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jg6jqjuonvmwkytij3qygu5eqbbqd2ywpeqylblybwylrsii5qa._file
Verdict:
malicious
Similar samples:
0098bf2ef8230d9bb30b451868272ffb271fe63a8c248bfc9ce569991c19f279
Formbook
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
Formbook
179043e8eb7c06144c67f58b2c2900ad10303862c0e5cd7e1fe5a4faf853f103
Formbook
228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4
Formbook
2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
Formbook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
Formbook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
Formbook
b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4
Formbook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
Formbook
ce8ca575299e642a92b4ad5f8f766704aeece8fece132037ac902fc94b992bc8
Formbook
+ 5'478 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader
Link:
https://tria.ge/reports/201109-89czm5d6fe/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 1d194485c76f5f8488c7dc70cf54f2a12aff37087c6168e981966fd4f7ff00c6

Formbook

Executable exe e24de4c134736acb2b1342770c1a9d2402180f58b3c90c2c2bc06d85c6484760

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383096/
  
Dropped by
MD5 82f22500e4e5df796f483b89c20e0e16
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1d194485c76f5f8488c7dc70cf54f2a12aff37087c6168e981966fd4f7ff00c6

Comments